  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2181

Windows 2008 R2 Event Log

2008 R2 64bit

I am in the process of defining a GPO on the Default Domain Controllers Policy and I have enabled the following for audits:
1) Audit Logon Events (S/F) = Success and Failure
2) Account Management
3) Directory Service Access
4) Policy Change

I used best practice from MS to set the max size for the Application, Security and System logs to 4194240 KB.

Now moving on to the Retain and Retention settings, can anyone guide me on what would be best defined? I want to have the events there for at least up to 90 days.
Asked by: shoris
1 Solution
 
page1985 Commented:
I would select the option to overwrite events as needed. The size you have set the log to (4GB) should be way more than sufficient to handle audits for 90 days.

If you set anything else, people will be prevented from logging in if the log fills up and you don't clear it.
Kiran Ch Commented:
It would be a tricky answer. I would suggest you plan for automatic archiving of event logs after a certain number of days.
http://www.petri.co.il/event_logs_archiving_with_gpo.htm

Also there is another thread going on a similar topic. You can read it as well.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_27847609.html
shoris (Author) Commented:
Thank you. So since I set it at 4GB and applied the retention override "as needed", does that mean that if the log fills to 4GB then the retention will kick in and clear it? This way I don't have to clear it myself or risk the log filling up and users being unable to log in.
0
 
page1985 Commented:
It will not clear the entire log.  It will "roll" the log, which means when you reach the 4GB mark, it will continue logging by replacing the oldest entry in the log first.  So if you write 5 entries, the oldest 5 entries will be lost.  Thereby we maintain the 4GB file size and still continue logging.
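As an added example (not from this thread or its participants), the following PowerShell check reads the Security log's configured maximum size and retention mode on a domain controller and uses the oldest surviving record to see whether the 4 GB limit really holds 90 days of events at this DC's event rate. The 4194240 KB and 90-day figures are the ones from the question; the 95% "log has wrapped" threshold and the log name are my assumptions, and it needs PowerShell 2.0 or later with rights to read the Security log.

```powershell
# Added example: verify event log size/retention against the values discussed above.
# Assumptions: Security log, 4194240 KB max (from the question), 90 days required.
$LogName       = 'Security'
$ExpectedMaxKB = 4194240
$RequiredDays  = 90

# Configured limits as the Event Log service sees them (GPO-applied values show here)
$cfg   = Get-WinEvent -ListLog $LogName
$maxKB = [int]($cfg.MaximumSizeInBytes / 1KB)
$mode  = $cfg.LogMode   # Circular = overwrite as needed; Retain = do not overwrite; AutoBackup = archive when full

Write-Host ("Max size: {0} KB (expected {1} KB)" -f $maxKB, $ExpectedMaxKB)
Write-Host ("Retention mode: {0}" -f $mode)

if ($mode -eq 'Retain') {
    # This is the setting the accepted answer warns about: the log stops writing when full
    Write-Warning "Log mode is 'Retain'; once the log fills, logging stops until it is cleared."
}
if ($maxKB -lt $ExpectedMaxKB) {
    Write-Warning ("Configured max size ({0} KB) is below the {1} KB set in the GPO." -f $maxKB, $ExpectedMaxKB)
}

# The oldest surviving record shows how much history the current file actually holds
$oldest   = Get-WinEvent -LogName $LogName -Oldest -MaxEvents 1
$newest   = Get-WinEvent -LogName $LogName -MaxEvents 1
$spanDays = ($newest.TimeCreated - $oldest.TimeCreated).TotalDays
Write-Host ("Log currently spans {0:N1} days ({1} -> {2})" -f $spanDays, $oldest.TimeCreated, $newest.TimeCreated)

# If the log has already wrapped (assumed: >= 95% of max) and spans < 90 days, the size
# is too small for this DC's event rate; otherwise project how long 4 GB will last.
$usedBytes = $cfg.FileSize
if ($usedBytes -ge ($cfg.MaximumSizeInBytes * 0.95) -and $spanDays -lt $RequiredDays -and $spanDays -gt 0) {
    $needKB = [math]::Ceiling($maxKB * ($RequiredDays / $spanDays))
    Write-Warning ("Log wrapped after only {0:N1} days; about {1} KB would be needed for {2} days, or archive/forward events." -f $spanDays, $needKB, $RequiredDays)
} elseif ($spanDays -gt 0) {
    $bytesPerDay = $usedBytes / $spanDays
    $projected   = $cfg.MaximumSizeInBytes / $bytesPerDay
    Write-Host ("At roughly {0:N0} bytes/day the log will hold about {1:N0} days before it starts rolling." -f $bytesPerDay, $projected)
}
```

Run it again a few weeks after the GPO is applied: the "spans N days" figure is the real measure of whether 4 GB covers the 90-day requirement on a busy DC with logon auditing enabled.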
shoris (Author) Commented:
Thank you so much for the explanation. Excellent, that works out.